A Windows local privilege escalation vulnerability dubbed "RegPwn" (CVE-2026-24291) lets a low-privileged user gain full SYSTEM access by abusing how the operating system handles the registry keys behind its accessibility tools. The high-severity flaw was found by the MDSec red team, which had been using it successfully in internal testing since January 2025.

It was fixed in a recent Microsoft Patch Tuesday update. The attack targets how Windows handles its built-in accessibility tools, such as the On-Screen Keyboard and Narrator. These features are meant to make the operating system usable for everyone; they mostly run in the user's context, but they are also launched from high-integrity contexts.

When a user opens a tool such as the On-Screen Keyboard, Windows creates a registry key to store its settings. Crucially, that key is created with an access control list that grants the low-privileged user full control over it.

Registry Key Stores Accessibility Config (On-Screen Keyboard) (source: mdsec)

At logon, a system process copies these settings into the HKEY_LOCAL_MACHINE (HKLM) hive. The newly created HKLM key remains writable by the logged-in user, so a low-privileged attacker can alter it at will. The weakness becomes exploitable when these user-controlled settings interact with the Windows Secure Desktop.

Winlogon Copies Setup to HKLM with User Write Access (source: mdsec)

The Secure Desktop is an isolated desktop used for operations such as locking the workstation or prompting for administrator credentials. It is designed so that only trusted processes running as SYSTEM execute on it.

When the user enters this secure state, the system launches processes that handle accessibility settings, running both as the standard user and as SYSTEM. An attacker can abuse this by modifying their user-level accessibility registry key and placing an opportunistic lock (oplock) on a particular system file. When the user then locks the workstation, the system attempts to copy the modified accessibility settings into the HKLM hive.

The oplock stalls the system process briefly, giving the attacker a small window in which to act. During that pause, the attacker replaces the HKLM registry key with a registry symbolic link pointing to an arbitrary system registry key.

Because the copying process runs as SYSTEM, the attacker can then write arbitrary values into parts of the registry that are otherwise protected from them. In its proof of concept, MDSec used this to change the executable path of a system service, which yielded a SYSTEM-level command prompt. Microsoft fixed CVE-2026-24291 as part of its regular security updates.
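A check a defender can run while the patch is being rolled out, added here as an example and not taken from MDSec's write-up or exploit code: audit the HKLM accessibility subtree for keys that grant write rights to low-privileged principals, which is the precondition the chain above depends on (the user-writable HKLM key that Winlogon creates). The registry path below is an assumption about where Windows keeps these settings on the audited build; the rights mask and the list of low-privileged principals are the editor's choices, not anything from the advisory.

```powershell
# Added example (not MDSec's code): report HKLM keys that a non-admin user can modify.
# ASSUMPTION: the accessibility settings live under this subtree on the audited build.
$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility'

# Rights that let a principal change a key's contents or its ACL. Any of these granted to a
# low-privileged principal is enough to tamper with the key the SYSTEM copy process writes.
$WriteRights = [int](
    [System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::Delete -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership
) -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL and GENERIC_WRITE, which some ACEs use

# Groups every interactive user belongs to, plus the account running the script.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

function Test-LowPrivWritableKey {
    # Emits one object per Allow ACE that gives a low-privileged principal write rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $Root) {
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    $findings = $keys | ForEach-Object { Test-LowPrivWritableKey -Path $_.PSPath }
    if ($findings) { $findings | Format-Table -AutoSize }
    else { "No low-privileged write access found under $Root" }
} else {
    "$Root does not exist on this host; adjust `$Root to the key your build uses"
}
```

Run it as the ordinary interactive user rather than as an administrator, since the point is to see what that user's own token can modify; keys that show up with a non-inherited ACE for the user are the ones worth comparing before and after the update is applied.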

To close this local privilege escalation vector, administrators should install the latest Windows updates. MDSec has published its RegPwn exploit code on GitHub for researchers and security teams to study.